diff options
-rw-r--r-- | kernels/linux-libre-lts-knock/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch | 80 | ||||
-rw-r--r-- | kernels/linux-libre-lts-knock/PKGBUILD | 13 |
2 files changed, 89 insertions, 4 deletions
diff --git a/kernels/linux-libre-lts-knock/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch b/kernels/linux-libre-lts-knock/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch new file mode 100644 index 000000000..3f1bccc80 --- /dev/null +++ b/kernels/linux-libre-lts-knock/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch @@ -0,0 +1,80 @@ +From 2def2ef2ae5f3990aabdbe8a755911902707d268 Mon Sep 17 00:00:00 2001 +From: PaX Team <pageexec@freemail.hu> +Date: Thu, 30 Jan 2014 16:59:25 -0800 +Subject: [PATCH] x86, x32: Correct invalid use of user timespec in the kernel + +The x32 case for the recvmsg() timout handling is broken: + + asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + unsigned int vlen, unsigned int flags, + struct compat_timespec __user *timeout) + { + int datagrams; + struct timespec ktspec; + + if (flags & MSG_CMSG_COMPAT) + return -EINVAL; + + if (COMPAT_USE_64BIT_TIME) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, + (struct timespec *) timeout); + ... + +The timeout pointer parameter is provided by userland (hence the __user +annotation) but for x32 syscalls it's simply cast to a kernel pointer +and is passed to __sys_recvmmsg which will eventually directly +dereference it for both reading and writing. Other callers to +__sys_recvmmsg properly copy from userland to the kernel first. + +The bug was introduced by commit ee4fa23c4bfc ("compat: Use +COMPAT_USE_64BIT_TIME in net/compat.c") and should affect all kernels +since 3.4 (and perhaps vendor kernels if they backported x32 support +along with this code). + +Note that CONFIG_X86_X32_ABI gets enabled at build time and only if +CONFIG_X86_X32 is enabled and ld can build x32 executables. + +Other uses of COMPAT_USE_64BIT_TIME seem fine. + +This addresses CVE-2014-0038. + +Signed-off-by: PaX Team <pageexec@freemail.hu> +Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> +Cc: <stable@vger.kernel.org> # v3.4+ +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +--- + net/compat.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/net/compat.c b/net/compat.c +index dd32e34..f50161f 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -780,21 +780,16 @@ asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg, + if (flags & MSG_CMSG_COMPAT) + return -EINVAL; + +- if (COMPAT_USE_64BIT_TIME) +- return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, +- flags | MSG_CMSG_COMPAT, +- (struct timespec *) timeout); +- + if (timeout == NULL) + return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, NULL); + +- if (get_compat_timespec(&ktspec, timeout)) ++ if (compat_get_timespec(&ktspec, timeout)) + return -EFAULT; + + datagrams = __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen, + flags | MSG_CMSG_COMPAT, &ktspec); +- if (datagrams > 0 && put_compat_timespec(&ktspec, timeout)) ++ if (datagrams > 0 && compat_put_timespec(&ktspec, timeout)) + datagrams = -EFAULT; + + return datagrams; +-- +1.8.5.3 + diff --git a/kernels/linux-libre-lts-knock/PKGBUILD b/kernels/linux-libre-lts-knock/PKGBUILD index f34bf5a35..d008ca244 100644 --- a/kernels/linux-libre-lts-knock/PKGBUILD +++ b/kernels/linux-libre-lts-knock/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 204715 2014-01-25 20:46:36Z andyrtr $ +# $Id: PKGBUILD 204934 2014-01-31 16:13:52Z bpiotrowski $ # Maintainer: Tobias Powalowski <tpowa@archlinux.org> # Maintainer: Thomas Baechler <thomas@archlinux.org> # Maintainer (Parabola): André Silva <emulatorman@parabola.nu> @@ -13,7 +13,7 @@ _basekernel=3.10 _sublevel=28 _knockpatchver=${_basekernel} pkgver=${_basekernel}.${_sublevel} -pkgrel=1 +pkgrel=1.1 _lxopkgver=${_basekernel}.28 # nearly always the same as pkgver arch=('i686' 'x86_64' 'mips64el') url="http://linux-libre.fsfla.org/" @@ -32,7 +32,8 @@ source=("http://linux-libre.fsfla.org/pub/linux-libre/releases/${_basekernel}-gn 'boot-logo.patch' 'change-default-console-loglevel.patch' 'criu-no-expert.patch' - "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.bz2") + '0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch' + "http://www.linux-libre.fsfla.org/pub/linux-libre/lemote/gnewsense/pool/debuginfo/linux-patches-${_lxopkgver}-gnu_0loongsonlibre_mipsel.tar.xz") md5sums=('d562fd52580a3b6b18b6eeb5921d1d5c' '1eeedf694bd64b34a031ac27549bc7a3' '26380d6f05471ef8e065a77d87588009' @@ -44,6 +45,7 @@ md5sums=('d562fd52580a3b6b18b6eeb5921d1d5c' '04b21c79df0a952c22d681dd4f4562df' 'f3def2cefdcbb954c21d8505d23cc83c' 'd50c1ac47394e9aec637002ef3392bd1' + '336d2c4afd7ee5f2bdf0dcb1a54df4b2' 'cec0d90f5d3fae8752b0020c6b785954') if [ "$CARCH" != "mips64el" ]; then # don't use the Loongson-specific patches on non-mips64el arches. @@ -78,7 +80,10 @@ prepare() { # allow criu without expert option set # patch from fedora patch -Np1 -i "${srcdir}/criu-no-expert.patch" - + + # CVE-2014-0038 + patch -Np1 -i "${srcdir}/0001-x86-x32-Correct-invalid-use-of-user-timespec-in-the-.patch" + if [ "$CARCH" == "mips64el" ]; then sed -i "s|^EXTRAVERSION.*|EXTRAVERSION =-libre-lts-knock|" Makefile sed -r "s|^( SUBLEVEL = ).*|\1$_sublevel|" \ |